CSE 3482 Introduction to Computer Security
Denial of Service (DoS) Attacks
Instructor: N. Vlajic, Winter 2015
Learning Objectives
Upon completion of this material, you should be able to:
- explain the basic concepts of Denial-of-Service (DoS) and distributed Denial-of-Service (DDoS) attacks
- understand the nature of flooding attacks
- explain the concept of an application-based bandwidth attack
- present an overview of reflector and amplifier attacks
- summarize some of the common defences against Denial-of-Service attacks
Required Reading: Computer Security, Stallings, Chapter 7
Introduction
NIST Computer Security Incident Handling Guide: a Denial of Service (DoS) is an action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources such as central processing unit (CPU), memory, disk space, and bandwidth.
http://realtimeprojecrtsdenniscodd.blogspot.ca/2012/01/denial-of-service-attacks-in-wireless.html
Introduction (cont.)
Recent DDoS Attacks
January 2013: coordinated DDoS attacks on major US banks (Bank of America, Citigroup, Wells Fargo, HSBC, ...)
- likely attacker: Izz ad-din al-quassam Cyber Fighters
  http://www.nytimes.com/2013/01/09/technology/online-banking-attacks-were-work-of-iran-us-officials-say.html?pagewanted=2&_r=0
- type of attack:
  1) DDoS through hijacking of 3rd-party cloud data centers (more powerful machines with more bandwidth); peaks of 70 Gbps
  2) encrypted DDoS: bandwidth DDoS + processing DDoS
Introduction (cont.)
Recent DDoS Attacks
March 2013: 300 Gbps DDoS attack on Spamhaus (a non-profit organization for fighting spam)
- likely attacker: CyberBunker (Dutch-based web hosting company, after being added to the Spamhaus spam list)
- type of attack: DNS reflection & amplification
http://www.bbc.com/news/technology-21954636
http://securityskeptic.typepad.com/the-security-skeptic/anatomy-of-dns-ddos-attack.html
Introduction (cont.)
(figure: cyber attack statistics, from http://hackmageddon.com/category/security/cyber-attacks-statistics/)
Categories of DoS Attacks
DoS Targeting Bandwidth
- bandwidth = capacity of the network link connecting a server
- typically, server bandwidth << ISP bandwidth
- it is possible to congest the server link => degraded or non-existent service for (some) legitimate users
(figure from http://computer.howstuffworks.com/internet/basics/internet-infrastructure1.htm)
Categories of DoS Attacks
DoS Targeting Bandwidth
- server/application throughput vs. incoming traffic rate
- most key Internet protocols (e.g., TCP) react to packet delay/loss by retransmitting packets; thus, during a DDoS attack, the overall number of packets increases while the percentage of packets that actually reach the intended destination decreases
http://users.ece.cmu.edu/~dbrumley/courses/18487-f10/files/ddos.pdf
Categories of DoS Attacks (cont.)
DoS Targeting Bandwidth
(figure: TCP vs. UDP reaction to a bandwidth DoS attack, from http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6519235)
Categories of DoS Attacks (cont.)
DoS Targeting Bandwidth
- flooding: the most common type of bandwidth DDoS
- examples: ICMP flood (e.g., ICMP Echo Request); UDP and TCP floods (on open or closed ports); HTTP flood
(figure from http://localare.blogspot.ca/2012/10/protocol-tcp-ip.html)
Categories of DoS Attacks (cont.)
DoS Targeting System Resources
- aim to consume the server's limited OS-level resources, e.g.:
  - buffers holding arriving IP packets
  - tables of open TCP connections
(figure from http://natsys-lab.blogspot.ca/2013/03/whats-wrong-with-sockets-performance.html)
Categories of DoS Attacks (cont.)
DoS Targeting System Resources
- example: TCP-SYN flood
  - the attacker sends a flood of TCP-SYN requests, possibly in IP packets with spoofed source addresses => the 3-way handshake is never completed
  - half-open connections bind server resources => no new connections can be made
(figures: normal 3-way TCP handshake vs. TCP-SYN flood)
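A worked example of how a defender notices the condition described above, added here for these notes (it is not code from the slides or from Stallings): the script replays a constructed packet list seen at a protected server, tracks which handshakes began with a SYN but never received the client's final ACK, and raises an alert when the number of half-open connections passes a threshold. The server address, the client addresses and the threshold are all constructed for the example.

```python
"""Detecting a TCP SYN flood by tracking half-open connections (added example)."""
from collections import namedtuple

Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port flags")
SERVER = "192.0.2.10"          # constructed address of the protected server

# Constructed traffic: one legitimate client that completes the handshake,
# followed by 40 SYNs from (constructed, presumably spoofed) sources that
# never answer the server's SYN-ACK. Flags: "S" = SYN, "SA" = SYN-ACK, "A" = ACK.
LEGIT = [
    Packet("10.0.0.5", 40000, SERVER, 80, "S"),
    Packet(SERVER, 80, "10.0.0.5", 40000, "SA"),
    Packet("10.0.0.5", 40000, SERVER, 80, "A"),
]
FLOOD = [Packet(f"198.51.100.{n}", 1024 + n, SERVER, 80, "S") for n in range(1, 41)]
FLOOD += [Packet(SERVER, 80, f"198.51.100.{n}", 1024 + n, "SA") for n in range(1, 41)]
SAMPLE = LEGIT + FLOOD


def track_handshakes(packets, server_ip):
    """Return (completed, half_open): sets of (client_ip, client_port) keys.

    A SYN sent to the server opens a half-open entry; an ACK from the same
    client socket (without SYN) completes it. The server's own SYN-ACKs are
    ignored, since the question is whether the client ever finishes.
    """
    half_open, completed = set(), set()
    for p in packets:
        if p.dst_ip != server_ip:
            continue                      # only packets towards the server matter
        key = (p.src_ip, p.src_port)
        if p.flags == "S":
            half_open.add(key)
        elif p.flags == "A" and key in half_open:
            half_open.discard(key)
            completed.add(key)
    return completed, half_open


def syn_flood_report(packets, server_ip=SERVER, max_half_open=20):
    """Summarise handshake state; alert when too many connections stay half-open."""
    completed, half_open = track_handshakes(packets, server_ip)
    total = len(completed) + len(half_open)
    return {
        "completed": len(completed),
        "half_open": len(half_open),
        "incomplete_ratio": round(len(half_open) / total, 2) if total else 0.0,
        "half_open_sources": len({ip for ip, _ in half_open}),
        "alert": len(half_open) > max_half_open,
    }


if __name__ == "__main__":
    print(syn_flood_report(LEGIT))    # one completed handshake, no alert
    print(syn_flood_report(SAMPLE))   # 40 half-open entries from 40 sources: alert
```

The high ratio of half-open to completed handshakes, spread over many distinct source addresses, is the pattern the slide describes; a production tracker would additionally age entries out after a timeout, which is also what the kernel's SYN backlog does, and would typically pair this with SYN cookies so that half-open entries stop consuming table space at all.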
Categories of DoS Attacks (cont.)
DoS Targeting Application Resources
- involve valid-looking application requests that 1) consume significant application resources, or 2) cause the application to crash
- examples:
  - HTTP attack requesting large PDF files from a server
  - attack on a web server that makes database queries, using computationally costly requests
Categories of DoS Attacks (cont.)
DoS vs. DDoS Attacks
- DoS attack: one attacking machine
- Distributed DoS attack: employs numerous attacking machines, so-called botnets
  - direct DDoS attacks
  - reflector DDoS attacks
  - amplification DDoS attacks
http://www.tik.ee.ethz.ch/~ddosvax/talks/ddos_td.pdf
DDoS Attacks: Botnet
Botnet for DDoS
- botnet: a network of compromised machines (bots, zombies, or agents) controlled by the attacker
- attacker / master: the machine physically used by the bot master / herder; can be anywhere, with any type of Internet connection
- stepping stone: the attacker can use one or more stepping stones to hide his or her true identity and location
  - typically, there is a telnet connection between the botnet master and its stepping stones
  - due to legal issues and physical location, using stepping stones located in foreign countries makes it much more difficult to trace the original attacker
DDoS Attacks: Botnet (cont.)
Botnet for DDoS (cont.)
- handler: a computer that has been compromised by the bot master and loaded with special applications to manage agents
  - handlers accept commands from the attacker by way of stepping stones and relay those commands to waiting agents
  - each handler is responsible for (only) a group of agents
  - if handlers communicate with their respective agents via TCP connections, they will have a list of the agents' IP addresses
- bot / zombie / agent: a compromised 3rd-party machine with the injected malware
  - the real power of the botnet: capable of launching the attack and/or propagating itself to other machines
  - largest known botnet: Mariposa, 8-12 million bots (2008)
DDoS Attacks: Botnet (cont.)
(figure: botnet structure; labels: hacker's PC; machines owned by the hacker but in different locations; compromised machines controlled by the hacker; compromised machines with malware; from http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.94.540&rep=rep1&type=pdf)
DDoS Attacks: Botnet (cont.)
Botnet Propagation
- vulnerability scan: manual propagation involving systematic scanning / searching for hosts with particular vulnerabilities
- worm exploits: automated propagation via worms that traverse the Internet, infecting hosts and installing the agent software
- web-based malware exploits: automated propagation by means of drive-by downloads from compromised web sites
- botnet takeover: e.g., by sniffing the password that a bot herder uses to log into its botnet handlers
Mariposa Botnet
- 8-12 million bots at its peak
- spreading: via instant messages, P2P connections, removable drives, ...
- primary purpose/operation: steal login info (banks, social-networking sites, ...), steal important files found on hard drives, hijack search results
- secondary purpose: the botnet was also available for rent and has performed other underground operations
- takeover: May 2009, the Mariposa Working Group temporarily seized control of the C&C servers
- arrests: 2010, several Spanish and one Slovenian citizen arrested
http://community.trendmicro.com/t5/web-threat-spotlight/mariposa-botnet-uses-autorun-worms-to-spread/ba-p/4596
DDoS Attacks: Botnet (cont.)
Botnet: to Build or to Rent?
- building a botnet
  - ready-to-use development kits are available on the black market: packages containing C&C software & bot software
  - Dirt Jumper: sophisticated software with an HTTP C&C server & SQL database for keeping track of infected bots
  - requires technical expertise and is time consuming
"How To Build A Botnet In 15 Minutes": http://readwrite.com/2013/07/31/how-to-build-a-botnet-in-15-minutes#awesm=~ozr0p2dbqfuhlu
"A beginner's guide to building botnets with little assembly required": http://arstechnica.com/security/2013/04/a-beginners-guide-to-building-botnets-with-little-assembly-required/
DDoS Attacks: Botnet (cont.)
Botnet: to Build or to Rent?
- renting a botnet: several $100 for a day of botnet rental
https://blog.damballa.com/archives/330
(figure: the growing cyber threat of mobile botnets, from http://www.mportal.com/growing-cyber-threat-mobile-botnets/)
Reflector & Amplified DDoS
Direct DDoS attacks
- the agents conducting the attack are compromised systems running the attacker's program
- the source IP addresses in the attacking packets are often spoofed => the victim's responses are scattered throughout the Internet
- protocols used: any (ICMP, TCP, UDP, DNS, HTTP, ...)
(figure labels: source IP = true or random IP; destination IP = Victim's IP)
Amplified & Reflector DDoS (cont.)
Reflector DDoS attacks
- indirect attack utilizing innocent, uncompromised intermediate nodes and any simple request-reply protocol
- the source IP address in the attacking packets = spoofed victim's IP
- aims to obscure the identity of the attacking machines
(figure labels: destination IP = Reflector IP; source IP = Victim IP)
Amplified & Reflector DDoS (cont.)
Example: HTTP Reflector DDoS, possible or not?!
- HTTP runs on top of an established TCP connection: an HTTP request cannot be sent without a valid 3-way TCP handshake, and with a spoofed source the handshake never completes (the Reflector's SYN-ACK goes to the Victim, which never sent the SYN)
- HTTP is not a simple request-reply protocol => reflector attack not possible
(figure: Attacker -> Reflector: SYN with source IP = Victim IP, destination IP = Reflector IP; Reflector -> Victim: SYN-ACK)
Amplified & Reflector DDoS (cont.)
Example: DNS Reflector DDoS, possible or not?!
- DNS runs on top of UDP (or TCP) and acts as a simple request-reply protocol => reflector attack possible
Amplified & Reflector DDoS (cont.)
Amplified DDoS attacks
- a variant of the reflector attack
- aim to generate multiple reflector packets for each original packet sent
- can be achieved by directing the original requests to the broadcast address of a large LAN, e.g., an ICMP echo request to 129.1.0.0 => multiple echo replies
- TCP cannot be used, as it is connection-oriented
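The reflector and amplification slides above describe the attack from the attacker's side; what the victim actually sees is replies it never requested, arriving from many intermediate nodes, each larger than the request that triggered it. The following added example (not code from the slides or from Stallings) shows how a defender detects that from flow records at the edge of a monitored network: it pairs each inbound DNS answer with the outbound query it belongs to, flags answers with no matching query as reflected traffic, and computes the amplification factor (answer bytes / query bytes) for the pairs it can match. The network prefix, the flow records and the resolver addresses are all constructed.

```python
"""Spotting reflected and amplified DNS traffic in flow records (added example)."""
import ipaddress
from collections import Counter

MONITORED = ipaddress.ip_network("192.0.2.0/24")   # constructed: the network we defend
DNS_PORT = 53

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, byte_count)
SAMPLE_FLOWS = [
    ("192.0.2.20", 41000, "203.0.113.1", DNS_PORT, 64),   # an inside client queries a resolver
    ("203.0.113.1", DNS_PORT, "192.0.2.20", 41000, 512),  # the matching answer, 8x larger
] + [
    # five large "answers" aimed at 192.0.2.10 that nobody inside ever asked for:
    # exactly what reflectors produce when 192.0.2.10 was spoofed as the query source
    (f"203.0.113.{n}", DNS_PORT, "192.0.2.10", 12345, 3000) for n in range(2, 7)
]


def analyse_dns_flows(flows, monitored=MONITORED):
    """Summarise matched and unsolicited DNS answers entering `monitored`."""
    def inside(ip):
        return ipaddress.ip_address(ip) in monitored

    outstanding = {}          # (client_ip, client_port, server_ip) -> query bytes
    unsolicited = Counter()   # reflector ip -> bytes it sent us without a query
    targets = Counter()       # inside address receiving unsolicited answers
    ratios = []               # answer bytes / query bytes for matched pairs
    for src, sport, dst, dport, nbytes in flows:
        if inside(src) and not inside(dst) and dport == DNS_PORT:
            outstanding[(src, sport, dst)] = nbytes            # outbound query
        elif inside(dst) and not inside(src) and sport == DNS_PORT:
            key = (dst, dport, src)                            # inbound answer
            if key in outstanding:
                ratios.append(nbytes / outstanding.pop(key))
            else:
                unsolicited[src] += nbytes
                targets[dst] += 1
    return {
        "matched_answers": len(ratios),
        "max_amplification": max(ratios, default=0.0),
        "unsolicited_reflectors": len(unsolicited),
        "unsolicited_bytes": sum(unsolicited.values()),
        "likely_victim": targets.most_common(1)[0][0] if targets else None,
    }


if __name__ == "__main__":
    print(analyse_dns_flows(SAMPLE_FLOWS))
```

The same request/answer pairing works for any of the simple request-reply protocols the slides mention (ICMP echo, UDP services); the stateful check is also why a stateful firewall at the victim can drop reflected traffic outright, and why the reflectors themselves, not the victim, are the only place the spoofed source address is visible.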
Amplified & Reflector DDoS (cont.)
Example: DNS Amplification DDoS using recursive resolution
(figure from http://blog.isc2.org/.a/6a00e54f109b6788340168e901b1c1970c-pi)
(figure sources: http://www.expertsmind.com/questions/dns-message-application-layer-30140518.aspx; https://isc.sans.edu/diary/when+attackers+use+your+dns+to+check+for+the+sites+you+are+visiting/16955)
DDoS Defences
Classical DDoS Defences
Attack Prevention (before the attack)
- up-to-date anti-malware, to prevent the creation of botnets
- monitoring of traffic by the ISP, or by cyber-spies, to detect packets between attackers and stepping stones / handlers
DDoS Defences (cont.)
Classical DDoS Defences (cont.)
Attack Detection and Filtering (during the attack)
- detection at the destination: monitoring for known attack signatures (e.g., a flood of TCP SYN-ACK packets)
- filtering at the destination: the victim's firewall drops packets from suspicious / blacklisted IP addresses
- filtering at the source: the ISP drops packets with spoofed source IP addresses
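The two filtering points above make different decisions with different information, which the following added example (not code from the slides or from Stallings) makes concrete. At the source, an ISP edge router knows which address prefixes it allocated to the customer behind a link, so any packet leaving that link with some other source address is spoofed and can be dropped; this is the ingress-filtering idea standardised as BCP 38. At the destination, the victim's firewall knows nothing about who was allocated what and can only drop by blacklist. The prefixes, blacklist and packets are constructed.

```python
"""Source-side (anti-spoofing) and destination-side (blacklist) filtering (added example)."""
import ipaddress
from collections import Counter

# Constructed: the prefix the ISP allocated to one customer link, and the
# addresses the victim has already decided to block.
CUSTOMER_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]
VICTIM_BLACKLIST = {ipaddress.ip_address("203.0.113.9")}

# Constructed packets as (src_ip, dst_ip) pairs.
EDGE_TRAFFIC = [                      # seen by the ISP on the customer's uplink
    ("198.51.100.7", "192.0.2.10"),   # genuine customer address: forward
    ("192.0.2.10", "198.51.100.7"),   # claims to be the victim itself: spoofed
    ("10.9.9.9", "192.0.2.10"),       # random source, not allocated here: spoofed
]
VICTIM_TRAFFIC = [                    # arriving at the victim's firewall
    ("203.0.113.9", "192.0.2.10"),    # blacklisted source
    ("198.51.100.7", "192.0.2.10"),   # ordinary client
]


def source_allowed(src_ip, customer_prefixes):
    """ISP edge rule: forward only if the source belongs to the customer's prefixes."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in customer_prefixes)


def filter_at_source(packets, customer_prefixes=CUSTOMER_PREFIXES):
    """Tally what an ingress filter on the customer link does with each packet."""
    outcome = Counter()
    for src, _dst in packets:
        outcome["forwarded" if source_allowed(src, customer_prefixes) else "dropped_spoofed"] += 1
    return outcome


def filter_at_destination(packets, blacklist=VICTIM_BLACKLIST):
    """Tally what the victim's firewall does: drop blacklisted sources, accept the rest."""
    outcome = Counter()
    for src, _dst in packets:
        blocked = ipaddress.ip_address(src) in blacklist
        outcome["dropped_blacklisted" if blocked else "accepted"] += 1
    return outcome


if __name__ == "__main__":
    print(filter_at_source(EDGE_TRAFFIC))          # 1 forwarded, 2 dropped as spoofed
    print(filter_at_destination(VICTIM_TRAFFIC))   # 1 accepted, 1 dropped
```

Note the asymmetry: the source-side filter removes every spoofed packet, including the ones that would otherwise drive the reflector attacks on the earlier slides, but only helps if the attacker's ISP deploys it; the destination-side blacklist is entirely under the victim's control but cannot tell a spoofed address from a real one, which is why blacklisting during a spoofed flood tends to block innocent addresses.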
DDoS Defences (cont.)
Modern Lines of DDoS Defence
Content Delivery Networks (e.g., Akamai)
- web-site content is placed in multiple/redundant locations
- users are directed to the geographically closest servers
- multiple servers => no single point of failure
(figure from http://www.marketingtechblog.com/content-delivery-network/)
DDoS Defences (cont.)
Modern Lines of DDoS Defence (cont.)
Scrubbing Centers (e.g., Prolexic)
- packets destined for an enterprise are routed through, and screened by, a special cloud-based network of routers
- if an attack pattern is identified => suspicious packets are dropped before reaching the victim (i.e., before the victim's "last link")
New Trends in DDoS
Application-Layer DDoS Attacks
- the fastest growing category of DDoS attacks
- hard to distinguish between legitimate & malicious HTTP requests
http://www.prolexic.com/kcresources/attack-report/prolexic-quarterly-global-ddos-attack-report-q412-011713/prolexic_quarterly_global_ddos_attack_report_q412_011413.pdf
New Trends in DDoS (cont.)
How a Browser Works
- the base HTML page is retrieved first; then the HTML page gets parsed and the individual objects (images, scripts, videos, ...) are subsequently retrieved
- What if one of the objects/images referred to in the base HTML is in fact hosted on a different server?!
Application-Layer DDoS (cont.)
Puppetnets
- a mechanism for conducting HTTP DDoS by exploiting (hijacking) legitimate / uninfected machines
- e.g., a popular web page is infected with malicious HTML code that generates HTTP requests to the victim
(figure: infected web server (196.87.44.1), victim site (128.7.35.9), attack traffic)
  1) normal HTTP requests are sent to the infected server
  2) attack instructions are piggybacked in the base HTML code that is sent back to the requesting clients:
     <img src="http://196.87.44.1/picture.jpg">
     <img src="http://128.7.35.9/picture.gif">
- legitimate machines that end up executing the DDoS attack = PUPPETNET
Application-Layer DDoS (cont.)
Puppetnets (cont.)
- advantages for the attacker:
  - minimal cost
  - puppet-bots are generally trusted, with a good history: harder to detect, and not subject to blacklisting or firewall blocking
- disadvantages for the attacker:
  - very dynamic bot population
  - attacks cannot be fully controlled or predicted
Application-Layer DDoS (cont.)
Million-Browser Botnet
- August 2013: researchers from WhiteHat Security managed to create a puppetnet consisting of a million hijacked browsers using WWW ads
- a web server hosts a 3rd-party web ad, and the web ad carries malicious code (JavaScript in the HTML code):
    var i = 1;
    img = new Image();
    while (true) {
        img.src = "http://128.7.35.9/picture.gif";
        i++;
    }
(figure: attack traffic towards the victim site (128.7.35.9))
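The slides note that puppet traffic comes from trusted, never-blacklisted machines, so address-based filtering does not help the victim. What does stand out is the page that embedded the object: browsers send the embedding page's URL in the Referer header, so on the victim's web server many distinct client addresses fetching one object with the same external Referer exposes the infected page (196.87.44.1 in the slide's example). The following added example (not code from the slides or from the WhiteHat research) implements that check over constructed access-log lines in the common combined log format.

```python
"""Spotting puppetnet-style hot-linking in a web server's access log (added example)."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Combined log format: ip - - [time] "METHOD path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)


def _line(ip, path, referer):
    """Build one constructed log line for the sample below."""
    return (f'{ip} - - [15/Jan/2015:10:00:00 +0000] "GET {path} HTTP/1.1" 200 5120 '
            f'"{referer}" "Mozilla/5.0"')


# Constructed sample: 30 distinct browsers all pull picture.gif because an
# external page (the slide's infected server) embeds it; a few normal visitors
# reach the same image from the victim's own pages or with no Referer at all.
SAMPLE_LOG = (
    [_line(f"10.{n // 256}.{n % 256}.1", "/picture.gif", "http://196.87.44.1/index.html")
     for n in range(1, 31)]
    + [_line(f"172.16.0.{n}", "/picture.gif", "http://128.7.35.9/") for n in range(1, 4)]
    + [_line("172.16.0.9", "/index.html", "-")]
)


def find_hotlinking_referers(lines, own_host, min_clients=10):
    """Return {referer: {"path", "clients", "requests"}} for external pages that
    drive at least `min_clients` distinct client addresses to one object."""
    clients = defaultdict(set)
    requests = defaultdict(int)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                        # malformed line; a real tool would count these
        ref = m["referer"]
        if ref == "-" or urlsplit(ref).hostname == own_host:
            continue                        # no Referer, or our own pages: not hot-linking
        key = (ref, m["path"])
        clients[key].add(m["ip"])
        requests[key] += 1
    return {
        ref: {"path": path, "clients": len(ips), "requests": requests[(ref, path)]}
        for (ref, path), ips in clients.items() if len(ips) >= min_clients
    }


if __name__ == "__main__":
    print(find_hotlinking_referers(SAMPLE_LOG, own_host="128.7.35.9"))
```

This is a triage signal rather than proof: a legitimately popular page that embeds your image produces the same pattern, and browsers may omit the Referer entirely (the JavaScript variant on the slide is still attributed to the ad's page, but a referrer policy can strip it), so the Referer grouping is best combined with a per-object request rate and with serving the hot-linked object only to requests that carry an expected Referer.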
Application-Layer DDoS (cont.)
Example: Advertising on WWW
(figure from https://media.blackhat.com/us-13/us-13-grossman-million-browser-botnet.pdf)